Protecting the Player– Information Security Concerns Gus Fritschie @gfritschie March 21, 2014


Page 1: Protecting the Player– Information Security Concerns Gus Fritschie @gfritschie March 21, 2014

Protecting the Player– Information Security Concerns

Gus Fritschie @gfritschie

March 21, 2014

Page 2

© SeNet International Corp. 2014 2 March 2014

Overview

While there is the potential for attacks against the iGaming application and infrastructure, it is easier to attack the consumer.

Why spend days trying to exploit a SQL injection vulnerability when all you need to do is have a player click a link?

The focus of this talk is on protecting the player.

Page 3

Houston, We Have a Problem

Page 4

Barcelona Laptop Incident

http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelona-laptop-infected-with-screen-sharing-trojan-11-12/

Page 5

Las Vegas Sands Hacked

Page 6

What Can Sites Do?

There are many steps that sites can take to help protect their players; here are some:

• Security Awareness

• User security controls (e.g. password policy, multi-factor authentication, account lockout)

• Site security controls (e.g. SSL, secure coding, secure configuration)

• Continuous Monitoring

Page 7

Security Awareness

• Operators need to do more to raise security awareness among their customers.

• This could take the form of logon messages, emails, or other forms of communication.

• Last year PokerStars released a guide on protecting your laptop that was distributed at an EPT event in the wake of the Barcelona hotel incident.

• Learn a lesson from Facebook.

Page 8

User Controls

• Password complexity requirements

• Session timeout

• Account Lockout

• Multiple Sessions

• Dual-factor authentication

• IP/MAC Restrictions

• Logon Notification
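The controls listed on this slide are small individually but interact at the login path: complexity is enforced at registration, lockout and session limits are enforced at login, timeout on every request, and a notification is recorded each time a session is created. The following is an added example (not code from the talk or from any operator) showing how they fit together in one authentication service; the policy values (12-character minimum, 5 attempts, 15-minute lockout, 30-minute idle timeout, one session per account) are constructed for illustration, and the service stores a salted PBKDF2 hash rather than the password itself.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values are constructed for this example; an operator would set its own.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5            # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60          # how long the lock lasts
SESSION_TIMEOUT_SECONDS = 30 * 60  # idle time after which a session is dropped
MAX_CONCURRENT_SESSIONS = 1        # one open session per account


def check_password_complexity(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: only salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    sessions: Dict[str, float] = field(default_factory=dict)  # session id -> last activity
    notifications: List[str] = field(default_factory=list)    # logon notices sent to the player


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> Account:
        problems = check_password_complexity(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)
        return self.accounts[username]

    def login(self, username: str, password: str, source_ip: str, now: float) -> Optional[str]:
        """Return a session id on success, None on any failure (the caller shows the player
        the same generic message whether the account is unknown, locked or the password is wrong)."""
        acct = self.accounts.get(username)
        if acct is None or now < acct.locked_until:
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:   # account lockout
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0
        # Multiple-sessions control: drop idle sessions, then evict the oldest over the limit
        self._expire_sessions(acct, now)
        while len(acct.sessions) >= MAX_CONCURRENT_SESSIONS:
            del acct.sessions[min(acct.sessions, key=acct.sessions.get)]
        session_id = os.urandom(16).hex()
        acct.sessions[session_id] = now
        # Logon notification: lets the player recognise a logon they did not make
        acct.notifications.append(f"New logon from {source_ip} at {int(now)}")
        return session_id

    def touch(self, username: str, session_id: str, now: float) -> bool:
        """Call on every request: drops idle sessions and refreshes the active one."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        self._expire_sessions(acct, now)
        if session_id not in acct.sessions:
            return False
        acct.sessions[session_id] = now
        return True

    @staticmethod
    def _expire_sessions(acct: Account, now: float) -> None:
        for sid, last_seen in list(acct.sessions.items()):
            if now - last_seen > SESSION_TIMEOUT_SECONDS:
                del acct.sessions[sid]
```

Time is passed in explicitly so the lockout and timeout behaviour can be exercised without waiting; a real service would use the clock. Note that the lock check happens before the password is verified, so a locked account rejects even the correct password until the window passes.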

Page 9

Site Controls

• Security Code Reviews

• 3rd Party and Internal Security Reviews

• Secure architecture design and implementation

• Configuration Management

• Encryption (data-in-transit and data-at-rest)

Page 10

Continuous Monitoring

• Collusion/bot detection

• Abnormal activity/win rates

• Account Activities

• Logging/SIEM

• It is important to monitor not only technical controls, but management and operational controls too.
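The first four bullets are detections that can be run over the same event stream a SIEM already collects. As an added example (not the speaker's code, and not any site's real detection logic), the block below constructs a small log of login and hand-result events and applies three rules: a win rate far above what a fair game would give, successful logins from many distinct IP addresses, and repeated failed logins against one account. The event schema and the thresholds are constructed for the example; the fair-game baseline assumes each seat at a table has an equal chance of winning a hand, which is a simplification of how a real bot or collusion model would set its expectation.

```python
import json
import math
from collections import Counter, defaultdict

# Thresholds are constructed for this example; a site would tune them on its own data.
MIN_HANDS = 30          # do not judge a win rate on a handful of hands
Z_THRESHOLD = 3.0       # standard deviations above the fair-game expectation
MAX_DISTINCT_IPS = 3    # successful logins from this many IPs in one window is suspicious
MAX_FAILED_LOGINS = 5   # failed logins against one account in one window


def make_sample_log() -> str:
    """Constructed events (not real site data), one JSON record per line, in the shape a
    SIEM might receive from the authentication service and the game server."""
    lines = []

    def login(player, ip, ok=True):
        lines.append(json.dumps({"event": "login", "player": player, "ip": ip, "ok": ok}))

    def play_hands(player, n, wins, seats=6):
        for i in range(n):
            lines.append(json.dumps({"event": "hand", "player": player,
                                     "seats": seats, "won": i < wins}))

    login("p1001", "198.51.100.10")
    login("p1001", "198.51.100.10")
    login("p1002", "203.0.113.7")      # same account, three different networks
    login("p1002", "203.0.113.8")
    login("p1002", "198.51.100.99")
    for _ in range(6):                 # repeated failures before a success
        login("p1003", "192.0.2.5", ok=False)
    login("p1003", "192.0.2.5")
    play_hands("p1001", 40, 7)         # roughly a fair share at a 6-seat table
    play_hands("p1002", 40, 8)
    play_hands("p1003", 40, 5)
    play_hands("p1004", 40, 25)        # far above fair expectation
    play_hands("p1005", 10, 9)         # also high, but too few hands to judge
    return "\n".join(lines)


def analyze(log_text: str) -> dict:
    """Return {rule_name: sorted list of flagged players} for the three monitoring rules."""
    wins = Counter()
    hands = Counter()
    expected = defaultdict(float)   # sum over hands of 1/seats: fair share of pots
    variance = defaultdict(float)   # sum over hands of p(1-p), for the normal approximation
    ok_ips = defaultdict(set)
    failed = Counter()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        player = ev["player"]
        if ev["event"] == "hand":
            p = 1.0 / ev["seats"]
            hands[player] += 1
            expected[player] += p
            variance[player] += p * (1 - p)
            if ev["won"]:
                wins[player] += 1
        elif ev["event"] == "login":
            if ev["ok"]:
                ok_ips[player].add(ev["ip"])
            else:
                failed[player] += 1

    flags = {"abnormal_win_rate": [], "many_ips": [], "failed_logins": []}
    for player, n in hands.items():
        if n < MIN_HANDS:
            continue
        threshold = expected[player] + Z_THRESHOLD * math.sqrt(variance[player])
        if wins[player] > threshold:
            flags["abnormal_win_rate"].append(player)
    for player, ips in ok_ips.items():
        if len(ips) >= MAX_DISTINCT_IPS:
            flags["many_ips"].append(player)
    for player, n in failed.items():
        if n >= MAX_FAILED_LOGINS:
            flags["failed_logins"].append(player)
    return {rule: sorted(players) for rule, players in flags.items()}


if __name__ == "__main__":
    for rule, players in analyze(make_sample_log()).items():
        print(f"{rule}: {players or 'none'}")
```

The minimum-hands guard matters: p1005 wins 9 of 10 hands, which is striking but statistically meaningless on that sample, so the rule waits for more data rather than paging an analyst on noise. The multi-IP and failed-login rules are the "account activities" bullet: they flag shared or compromised accounts and credential attacks that a game-integrity model alone would never see.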

Page 11

Examples

Page 12

Security Configuration Issues

Page 13

Authentication Weaknesses

http://www.onlinepokerreport.com/9529/authentication-comparison-two-nj-igaming-sites/

Page 14

Backend Password and Username Exposed in Request

Page 15

Password Stored in Clear-text in Database

Using the forgot-password function, the password is sent via email and is the same password that was initially set. This indicates that passwords are stored in clear text.
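The inference on this slide works because a site that only stores a salted hash cannot produce the original password on request; a recovery email that contains it proves the password sits in the database in recoverable form. The following is an added example (not the talk's code and not taken from the site in question) showing the pattern the slide describes beside a hardened replacement: the hardened store keeps only a PBKDF2 hash, and "forgot password" issues a random, single-use, expiring reset token (itself stored only as a hash) so the player chooses a new password instead of receiving the old one. The domain in the reset link and the 15-minute lifetime are constructed values.

```python
import hashlib
import hmac
import os
import secrets

RESET_TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (constructed value)


def hash_secret(value: str, salt: bytes) -> bytes:
    """One-way, salted PBKDF2-HMAC-SHA256, used for both passwords and reset tokens."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class InsecureStore:
    """The pattern inferred on the slide: the password itself is stored, so the
    forgot-password email can (and does) hand it back. Anyone who can read the
    database, the mail server or the player's inbox has the credential."""

    def __init__(self) -> None:
        self.passwords = {}

    def register(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def forgot_password(self, user: str) -> str:
        return f"Your password is: {self.passwords[user]}"   # the email body


class HardenedStore:
    """Only a salted hash is stored. A reset hands out a random token whose own hash is
    stored with an expiry; redeeming it once sets a new password and burns the token."""

    def __init__(self) -> None:
        self.users = {}          # user -> (salt, password hash)
        self.reset_tokens = {}   # user -> (salt, token hash, expires_at)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_secret(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(hash_secret(password, salt), stored)

    def forgot_password(self, user: str, now: float) -> str:
        """Return the email body. It carries a fresh token, never the password, which the
        server could not reproduce from the hash even if it wanted to."""
        token = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self.reset_tokens[user] = (salt, hash_secret(token, salt), now + RESET_TOKEN_TTL)
        return ("Use this link within 15 minutes: "
                f"https://example.invalid/reset?u={user}&t={token}")

    def redeem(self, user: str, token: str, new_password: str, now: float) -> bool:
        record = self.reset_tokens.get(user)
        if record is None:
            return False
        salt, token_hash, expires_at = record
        if now > expires_at:                    # expired: discard, the player must ask again
            del self.reset_tokens[user]
            return False
        if not hmac.compare_digest(hash_secret(token, salt), token_hash):
            return False                        # wrong token; the real one stays usable
        del self.reset_tokens[user]             # single use
        self.register(user, new_password)       # fresh salt, fresh hash
        return True


def token_from_link(email_body: str) -> str:
    """Pull the token out of the reset link, as the player's browser would."""
    return email_body.rsplit("&t=", 1)[1]
```

The hardened store also answers the slide's test directly: a reviewer who triggers "forgot password" and receives a link rather than a password has at least a weak signal that the credential is not stored in clear text, although only the storage itself (or the hash format) confirms it.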

Page 16

Weak Password Policy